Posted by: David Harley | March 26, 2015

Cracking Your iGadget PIN

This isn’t the first time I’ve looked at PINs, and on occasion I have done so in the specific context of iOS devices: in fact, I spent some time researching PIN and password selection strategies after encountering some analysis by Daniel Amitay of an anonymized sample set of 204,508 PINs used by iGadget owners to access his Big Brother application, after he kindly made his data available to me. As I said at the time:

While we cannot assume that a choice of passcode for Big Brother would reflect either screenlocking passcode selection or PIN selection practice, it seems reasonable to assume that, given the size of the sample, there is likely to be some correlation.

At the time, iGadgets offered a choice of passcode modes for screenlocking: off, simple four-digit passcode, or a more complex passcode. (It’s a little more complicated with recent versions of iOS.) And while I certainly wasn’t discouraging anyone from using a complex passcode, I was initially concerned to dissuade anyone from using the most commonly chosen PINs – for instance, the ones that fall most easily under the fingers, like a single repeated digit (the ergonomic strategy), or that are most easily memorized, as when digits are paired with keypad letters. (For instance, 5683 could easily correspond to L-O-V-E.) After all, Amitay’s research indicated that 15% of all iPhone owners were using one of the ten most common passcodes. (5683 was one of that top ten.)

In some ways, the combination of a good passcode or password and a limit on the number of retries is hard to beat (in the absence of alternative approaches such as offline brute-force or guessing attacks). ATMs have a habit of swallowing smartcards after the third failed PIN entry. Similarly, smartphones tend to have an option to erase data and/or render the phone inaccessible after a set number of unsuccessful passcode entry attempts. In iOS, there is an option to erase after ten attempts. (Otherwise, the device is just temporarily disabled.) So it would seem that avoiding a fairly small subset of common PINs should keep you fairly safe where this combination of defences applies.

But what if that restriction can be bypassed? MDSec reports that for £200 the company was able to acquire a device called an IP Box that is used to automate brute-forcing the iOS screenlock passcode. Algorithmically speaking, that’s trivial for a 4-digit PIN: all you have to do is cycle through every value from 0000 to 9999, and if you could do it offline you could do it almost instantly with a small program. But what about that ten-strikes-and-out limitation?
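The two points above (weak PIN choices such as repeated digits or keypad words, and the size of the 4-digit keyspace against the retry limit) can be made concrete with a small checker. This is an added example and not code from the post, MDSec or Apple; the denylist is illustrative (the post itself only names 5683 and repeated-digit PINs; the other entries are assumed), the word list is a constructed stand-in for a real dictionary, and the 40-seconds-per-attempt figure is the one MDSec quotes further down.

```python
"""Passcode weakness checks and exhaustive-search cost estimate (added example)."""

# Illustrative denylist: the post names 5683 (L-O-V-E) and single-repeated-digit
# PINs; the other entries are assumed examples for this demo, not a real top-ten list.
COMMON_PINS = {"1234", "0000", "1111", "5683", "2580"}

# Phone keypad letter groups, used to spot PINs that spell a word (5683 -> LOVE).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
DIGIT_OF = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

# Constructed mini word list; a real check would use a full dictionary.
WORDS = {"love", "pass", "cool"}


def spells_keypad_word(pin: str, words=WORDS) -> bool:
    """True if some word in `words` maps onto `pin` via the keypad letters."""
    return any(len(w) == len(pin) and "".join(DIGIT_OF[c] for c in w) == pin
               for w in words)


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a numeric PIN is a poor choice (empty list if none found)."""
    if not pin.isdigit():
        raise ValueError("PIN must be numeric")
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("common PIN")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit (ergonomic)")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending/descending sequence")
    if spells_keypad_word(pin):
        reasons.append("spells a keypad word")
    return reasons


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length over the given alphabet."""
    return alphabet_size ** length


def worst_case_hours(length: int, alphabet_size: int,
                     seconds_per_attempt: float = 40.0) -> float:
    """Time to try the whole keyspace at the per-attempt rate MDSec observed."""
    return keyspace(length, alphabet_size) * seconds_per_attempt / 3600


def policy_table() -> dict:
    """Worst-case hours for a few passcode policies at 40 s per attempt."""
    policies = {"4-digit PIN": (4, 10), "6-digit PIN": (6, 10),
                "8-char alphanumeric": (8, 62)}
    return {name: round(worst_case_hours(n, a), 1) for name, (n, a) in policies.items()}


if __name__ == "__main__":
    for pin in ("5683", "7777", "3456", "2847"):
        print(pin, pin_weaknesses(pin) or "no obvious weakness")
    for name, hours in policy_table().items():
        print(f"{name}: {hours:,} hours")
```

The sequence and repeated-digit checks are cheap to run at passcode-setting time; the keyspace figures show why the advice at the end of the post (move beyond four digits) matters once the retry limit can no longer be relied on.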

According to MDSec, the IP Box bypasses it:

“by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.”

Not something you’re likely to do to someone’s phone while he nips to the restroom, but certainly not a major obstacle if you have a stolen phone and a few days to spare.
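The weakness MDSec describes is an ordering problem: the device reports whether a guess was wrong before the incremented attempt counter has been written durably, so losing power in that window rolls the counter back. The model below is an added example (not MDSec's, Apple's or the post's code) that simulates a device with a volatile working counter and a committed flash counter, and contrasts the flawed order with one that commits the counter before evaluating the guess. The passcode value and the attempt sequence are constructed.

```python
"""Model of the attempt-counter race and its fix (added example)."""
from dataclasses import dataclass

MAX_ATTEMPTS = 10       # the iOS "erase after ten attempts" setting mentioned in the post
CORRECT_PIN = "2847"    # constructed sample passcode, not from any real device


@dataclass
class Device:
    flash_failed: int = 0   # failed-attempt counter as committed to persistent storage
    ram_failed: int = 0     # working copy in volatile memory
    wiped: bool = False

    def power_cut(self) -> None:
        """Losing power discards RAM; after reboot the counter is whatever flash holds."""
        self.ram_failed = self.flash_failed

    def sync(self) -> None:
        """The deferred write-back that a well-timed power cut pre-empts."""
        self.flash_failed = self.ram_failed


def _wipe_if_exhausted(dev: Device, counter: int) -> bool:
    if counter >= MAX_ATTEMPTS:
        dev.wiped = True
    return dev.wiped


def flawed_attempt(dev: Device, guess: str) -> str:
    """Verify first, report the result, and rely on a later sync() for durability."""
    if _wipe_if_exhausted(dev, dev.ram_failed):
        return "wiped"
    ok = guess == CORRECT_PIN
    dev.ram_failed = 0 if ok else dev.ram_failed + 1
    return "unlocked" if ok else "wrong"    # counter not yet in flash


def hardened_attempt(dev: Device, guess: str) -> str:
    """Commit the incremented counter durably before any result is observable."""
    if _wipe_if_exhausted(dev, dev.flash_failed):
        return "wiped"
    dev.flash_failed += 1                 # durable write happens first
    dev.ram_failed = dev.flash_failed
    ok = guess == CORRECT_PIN
    if ok:
        dev.flash_failed = dev.ram_failed = 0
    return "unlocked" if ok else "wrong"


def simulate(attempt, wrong_guesses: int) -> dict:
    """Feed wrong guesses, cutting power after each response and before any sync.

    Returns how many guesses the device actually evaluated and whether it wiped.
    """
    dev = Device()
    evaluated = 0
    for i in range(wrong_guesses):
        guess = f"{i:04d}"
        if guess == CORRECT_PIN:
            continue
        if attempt(dev, guess) == "wiped":
            break
        evaluated += 1
        dev.power_cut()     # sync() never runs
    return {"evaluated": evaluated, "wiped": dev.wiped}


if __name__ == "__main__":
    print("counter synced after response:", simulate(flawed_attempt, 50))
    print("counter committed before check:", simulate(hardened_attempt, 50))
```

With the flawed ordering the committed counter never moves, so the retry limit is only as strong as the attacker's timing; with the counter committed first, the limit holds regardless of when power is lost. The same principle applies to any lockout counter: persist the state change before revealing the outcome it protects.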

In the real world, there are a number of steps you may be able to take to protect the data and connectivity on a lost or stolen smartphone, including remote wiping, once you’ve noticed that it’s gone. But as Graham Cluley has already pointed out, it’s well worth the additional security to:

“Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.”

Of course, the same applies to other devices.

David Harley
Small Blue-Green World

Posted by: David Harley | March 18, 2015

Android, iOS, and OS X


1) ITSecurity blog updated to take into account OpenSSL’s advisory.

2) Patrick Wardle’s paper on Dylib hijacking on OS X is now available via the Virus Bulletin blog.

I’ve just posted an article on Android exfiltration, OpenSSL, and iOS app memory handling (so I won’t cover those issues again here, but there are pointers to some articles that particularly interested me).

However, there are also a couple of interesting articles around on OS X security issues.

“As described by Macissues, users of recent Safari versions on the newest flavours of OSX are finding that so-called “private” URLs are turning up in the SQLite database that stores Favicons.”

The issue isn’t addressed by the new Safari update.

David Harley
Small Blue-Green World


Posted by: David Harley | March 11, 2015

OS X and iOS the most vulnerable operating systems?

There’s a recent article from me for ESET on OS X and iOS, and the assertion that they’re the most vulnerable operating systems: Operating System Vulnerabilities, Exploits and Insecurity.

The assertion was made by Cristian Florian in an article for GFI on the most vulnerable operating systems and applications in 2014, based on data from the National Vulnerability Database.

I wouldn’t say it was completely wrong, but I do think it’s misleading. And I discuss the reasons why in some detail in the ESET blog.

Top marks for pedantry to Charles Schloss (@chasapple) who pointed out, quite correctly, that OS X is now described simply as OS X, not as Mac OS X (it has been since the release of Mountain Lion), implying that there were no patches last year.


David Harley
Small Blue-Green World

Posted by: David Harley | February 23, 2015

A headline of little importance

This is a depressing headline: Survey: Mac users more educated, less Harley-loving. ;)

It’s actually quite an old story (2011) that popped up in my search engine while I was looking for something completely different, but you may find it interesting. On the other hand, you might wonder whether the survey did a better job of reinforcing stereotypes than of providing useful insights. At least it apparently worked on a large dataset:

…it took answers from 388,315 people and then cross-referenced the data with other questionnaires in order to cull vital computing information.

I say apparently, because the survey has disappeared, apparently following the acquisition of Hunch – a site that made recommendations to users based on the tastes and opinions that they entered into the system – by eBay in 2011.

As you’ll already know if you tried to follow the link in that quote, URLs now redirect to eBay, leaving only some amusing third-party commentary on untestable conclusions. Sometimes that feels like the internet in microcosm. I think I feel a conference abstract coming on.

David Harley

Posted by: David Harley | February 12, 2015

OpinionSpy resurgent

Some of us were slightly confused back in 2012 when Intego flagged a problem with the alleged spyware/adware program it calls OSX/Opinionspy – a market research program calling itself PremierOpinion.

A few days ago, however, Thomas Reed flagged what appears to be a more recent version in an article on The Safe Mac, and after further research by Intego, Graham Cluley has published an article on the company’s blog that expands on the story. Read more about it on the ITSecurity UK blog.

David Harley
Small Blue-Green World

Posted by: David Harley | January 29, 2015

New blog for Infosecurity Magazine

My first blog article for the Infosecurity Magazine site for a couple of years. I don’t plan to restrict any future articles there to Apple-related topics, but as it happens, this one refers to a scam that has been directed at Android, iPhone and OS X users.

Tapsnake Infection: Not Very Likely

Tap Snake was an Android app classified by security companies as spyware because it transmitted the location of the device it was running on to a remote server. The app is no longer available from Google Play, and it wasn’t available for iGadgets, let alone OS X, but there have been reports that users of those systems have been told that they have been exposed to Tap Snake so as to persuade them to install a particular security application.

David Harley
Small Blue-Green World 

Posted by: David Harley | January 23, 2015

Snowden snubs smartphones

So apparently I have something in common with Edward Snowden: I don’t have an iPhone either. However, in my case it has less to do with paranoia about tracking software and more to do with not being smartphone-oriented (though from the sound of it he favours a phone that’s even dumber than mine). Apple claims that:

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

HT to Alan Martin, from whose blog for ESET I elicited this fascinating snippet. Well, not very fascinating…

David Harley
Small Blue-Green World

Posted by: David Harley | January 23, 2015

Project Zero switches targets

Having made public three Windows issues (as reported by Arstechnica), Google turns its guns on Apple with three OS X issues. Specifically:

Don’t panic, though: an attacker would have to have direct access to the system to take advantage of the breaches. What’s more, the second issue may already have been addressed in Yosemite. (Unconfirmed.)

This article also refers.

David Harley
Small Blue-Green World

Posted by: David Harley | January 19, 2015

Siri Steganography

Sadly, I’ve already used the title Siri, are you a blabbermouth? and in any case it’s not quite as appropriate in this case. I was just reminded of it by the title of the Register article by Richard Chirgwin: Siri? Are you seeing another man? The sub-title – Steganographic man-in-the-middle diddle can force Apple’s digital assistant to spill secrets – overstates the issue a bit, though. (But I guess that’s what sub-editors do…)

It’s a proof of concept rather than a practical attack as described here – and there’s still plenty of mileage in visually-borne steganography if that’s a concern to you – but it’s kind of interesting anyway. I just hope Siri isn’t learning bad habits from Cortana (or vice versa).

David Harley

Posted by: David Harley | November 8, 2014

More WireLurking

I’m sure there are lots of other articles about this, but I’m trying not to track them: it’s the weekend and I have a couple of days holiday left! Randy Knobloch flagged some more links, though, including these:

Tielei Wang is quoted in the latter article as saying that:

…similar attacks could come through computers running Windows and Linux operating systems…

In fact, I came across a Register article citing AlienLabs’ discovery of an earlier, less successful Windows-targeting variant, while Macworld pointed out that

…the older WireLurker variant had binary code for three different architectures: 32-bit ARMv7, 32-bit ARMv7s and 64-bit ARM64.


David Harley
Small Blue-Green World
